跳到主要內容

ACL

編號型 ACL (1~99)
=========================================
只針對Source Address做回應

ex:
r1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
r1(config)#interface fa 0/0

r1(config-if)#ip access-group 1 in

允許 192.168.1.0/24 從 fa 0/0 連入

r1#show access-lists
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
(有一條隱性的拒絕 deny any)

192.168.1.254 0.0.0.0 可簡寫
host 192.168.1.254
192.168.1.254


0.0.0.0 255.255.255.255 可簡寫
any

套用在VTY Access

r1(config)#line vty 0 15
r1(config-line)#access-class 1 in


可以用Show ip interface fa 0/0可以看介面有沒有套用ACL
R1#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 192.168.10.254/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled

WCCP Redirect exclude is disabled




編號型延伸的ACL (100~199)
===================================================
r1(config)#access-list 101 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.00.255 eq 21
r1(config)#access-list 101 deny ip any any
r1#show access-lists
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
Extended IP access list 101
    10 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq ftp
    20 deny ip any any
r1(config-if)#ip access-group 101 in

命名型標準的ACL
===================================================

r1(config)#ip access-list standard test
r1(config-std-nacl)#deny 192.168.1.10 0.0.0.0
r1(config-std-nacl)#deny host 192.168.1.11
r1(config-std-nacl)#exit
r1(config)#interface fa 3/0
r1(config-if)#ip access-group test out


r1#show access-lists
Standard IP access list test
    20 deny   192.168.1.11
    10 deny   192.168.1.10


留言

這個網誌中的熱門文章

HP A5120 Switch 基本設定

沒用過HP的Switch,指令跟Cisco完全不同,花了一些時間熟悉~ 1.啟動Spanning-Tree,預設沒有開啟 (黑色粗體是我敲的指令) <HP> system-view System View: return to User View with Ctrl+Z. [HP] stp enable [HP] %Apr 26 12:03:59:826 2000 HP MSTP/6/MSTP_ENABLE: STP is now enabled on the device. %Apr 26 12:03:59:918 2000 HP MSTP/6/MSTP_FORWARDING: Instance 0's GigabitEthernet1/0/17 has been set to forwarding state. %Apr 26 12:04:00:068 2000 HP MSTP/6/MSTP_DETECTED_TC: Instance 0's GigabitEthernet1/0/17 detected a topology change. #Apr 26 12:04:00:208 2000 HP MSTP/1/PFWD: hwPortMstiStateForwarding: Instance 0's Port 0.9437200 has been set to forwarding state! 2.DHCP Snooping   (黑色粗體是我敲的指令) 假設我的DHCP Server接在24 Port,其他Port不允許有DHCP Server <HP> system-view System View: return to User View with Ctrl+Z. [HP] dhcp-snooping  DHCP Snooping is enabled. [HP] interface GigabitEthernet 1/0/24 [HP-GigabitEthernet1/0/24 ]dhcp-snooping trust 若是沒有Port 設成dhcp-snooping trust,那麼這台Switch就沒有Client可以從DHCP Serv...

2台 Vigor 2920建立 LAN To LAN VPN (IPsec)

我有兩台Vigor 2920,環境如下: Vigor B 撥出 LAN:192.168.1.0/24 Vigor A 撥入 LAN:172.16.1.0/24 設定如下: Vigor B設定 Vigor A設定 詳細設定請參考官網 http://www.draytek.com/index.php?option=com_k2&view=item&id=2666&Itemid=264&lang=tw

Cisco Switch 發生Loopback

User告知網路無法使用,看了Switch的狀況後,發現那個Port的狀態是Error Disable,接著又看了Switch的log Feb  8 12:14:14 TW: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPNAK, MAC sa: 2c56.dc86.xxxx Feb  8 12:15:49 TW: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPNAK, MAC sa: 2c56.dc86.xxxx Feb  8 12:18:00 TW: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/10. Feb  8 12:18:00 TW: %PM-4-ERR_DISABLE: loopback error detected on Fa0/10, putting Fa0/10 in err-disable state Feb  8 12:18:01 TW: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down Feb  8 12:18:02 TW: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to down 應該是User私接設備,除了造成Loopback之外,又在隨便發放IP....... 不過因為那個User比較特殊,先教育了一下之後,再把那個Port shutdown , no shutdown,接著把Recovery設了上去,下次如果再遇到相同狀況,10分鐘後會自動恢復 xxx...